Ridding the Web of the XSS Scourge

Cross-site scripting (XSS)/SQL injection attacks have been blamed for numerous data breaches, perhaps most notably the nightmare of the Heartland Payment Systems data breach. This type of attack has been around for at least a decade.

However, the growing popularity of Web 2.0 applications and the tendency for programmers to continue with old, insecure code writing techniques make XSS one ofthe most deadly methods for hackers.

Cross-site scripting (XSS)/SQL injection attacks are all about gettingreasonable people to click on a compromised site, where malicious codejumps into their computers. The possibilities for hackers are endless.

Solutions for blocking XSS/SQL injection attacks exist. However, thesoftware industry seems sluggish in adopting more secure code-writingpractices.

“This wouldn’t be such an issue if software developers did a betterjob of securing their code. About 66 percent of all Web sites areinfected with XSS code. There is no real industry push to solve thisproblem,” Michael Sutton, vice president of security research at Websecurity firm Zscaler, told TechNewsWorld.

How It Works

Cross-site scripting/SQL injection attacks are one of the easiestmethods for hackers to use — in fact, it’s almost stupidly simple, according to Manoj Apte, vice president atZscaler. It requires very little expertise, and it’s easy to findvulnerable Web sites. Because it is so easy, he said, XSS is creating awhole new generation of script kiddies.

“A hacker inputs a malicious script into a Web site. Then innocentvisitors to that Web site click on that script to start the exploit,”Mandeep Khera, chief marketing officer for Web security firm Cenzic,told TechNewsWorld.

Of course, the malicious code is embedded in legitimate links orgraphics on the Web site. The site’s operator is not aware the site iscompromised.

“Cross-site scripting is the No. 1 threat on the Internet. Asmany as 80 to 90 percent of all Web sites have the infection,” saidKhera.

Hackers’ Goal

The aim of XSS malicious code is not much different than any othersoftware exploit. Hackers want your information. It’s another means toID theft.

“Attackers are mostly trying to steal peoples’ cookie sessions foraccess to legitimate Web sites,” Sutton said. “Today’s XSSvulnerabilities enable the next generation of Web-based worms.”

Once hackers have a real cookie session, they have that user’s ID.These cookie sessions can provide access to commercial Web sites, bankaccounts, social networking accounts, and more.

While XSS vulnerabilities have existed for the last 10 years, theseverity of the attacks is newer. For instance, it’s no longer practical for users to turn off Javascript and surf the Web. Javascript is nowubiquitous.

XSS Band-Aid?

Browser features such as NoScript offer end users an elementary buteffective method for limiting exposure to XSS attacks. The problem,however, is that many users cannot be bothered using it.

“The fact of the matter is that any current XSS protection is its owngreatest enemy. Take NoScript, for example. It does its job bypreventing the execution of all Javascript,” Tyler Reguly, seniorsecurity engineer for nCircle, a network and compliance auditing firm,told TechNewsWorld.

This is detrimental to user experience, so people don’t want to useit, he noted.

See No Evil

The XSS problem is growing out of control mostly because softwarevendors and security experts do not talk to each other, according toDanny Allan, director of security research for IBM Rational.

His company investigates software vulnerabilities. More than half ofall vulnerabilities involve Web-based malicious code over the last twoand a half years, he said.

“Our hosting operations revealed as many as 200 million XSS infectionsin the first half of this year,” said Allan.

Lack of training is a major reason for the rapid growth of XSSinfections, noted Khera.

“Programmers are not trained for secure coding. Many of them are notaware of the issue,” he said.

What’s Needed?

Why do bad guys rob banks? Simple: That’s where the money is. Thatsame reasoning explains why hackers flock to XSS attack methods.

Even wanna-be hackers can easily find Web sites that detail over 100ways to create XSS exploits, according to Allan. As a result, the XSSproblem will get a lot worse before it starts to get better, heconcluded.

“We’re dealing with two different problems. One is XSS attacksagainst servers. The other is XSS attacks against end users,” Allanexplained.

To fix what is broken, software developers have to focus on securityfrom the ground up. However, that means new projects, which take time.Programmers need to go back and plug existing security holes.

“This is such a prevalent problem that programmers have to go back tofix all their old code,” said Khera.

Insurmountable Problem?

Fixing old code is easier said than done. Cenzic researchers often findhundreds of vulnerabilities when they test Web sites.

“Programmers can’t fix them all. So they must start to prioritize,starting with making XSS vulnerabilities a priority. It is really arace against time. It’s not a matter of if but when. End users willget attacked. It is really very bleak,” warned Khera.

Some New Thinking

Despite Khera’s stark views, Allan sees some glimmer of hope thatattitudes within the software industry are starting to change.

A cultural change in code writers’ mindsets is slowly taking place.Some programmers are beginning to realize that they have to change theold ways of building software, he said.

“Some organizations are now saying let’s stop being reactive. Thereis a new awareness for proactiveness. The old paradigm is changing,”Allan said. “Still, it takes time for people to change the way theybuild software. We need more of a engineer approach in buildingsoftware.”

Inspection Time

Web security firms have the tools to find XSS exploits; it’s just that the often cannot remove them.

Some Web browsers and plug-ins provide help in letting end usersknow of potential cross-site scripting threats. That’s one bigimprovement in Microsoft’s Internet Explorer 8 and the NoScript add-onavailable in the open source Web browser Firefox,according to Sutton.

The key to solving the XSS vulnerability issues restswith IT staff at enterprises, said Sutton. All that most companies do for security is provide workers with desktop antivirus programs and URL filtering viathe corporate network.

“Neither one protects from XSS vulnerabilities. It comes down tosecurity people at companies being proactive. They need to inspect thecontent,” Sutton said.

No Cure?

This Web 2.0 world in which we live in is only going toexacerbate the issue of XSS, according to Tyler.

“If we take a look at the last month of Facebook bugs, over 9,700Facebook applications were found to be vulnerable. This is becauseFacebook has created an API that allows third parties to offerapplications on the site. These applications are what makes Facebookso popular, and they are what makes the end user so vulnerable,” saidTyler.

Tyler is not sure whether the software industry will ever solve the XSS issue.Ideas are floating around to alleviate the problem, but none of themare perfect, he concluded.

“And until that perfect solution exists, we’re stuck with a user basethat would rather accept the risk — that is, until they find theircredit card has been used halfway around the world, and they can’tunderstand how it happened to them,” said Tyler.

Some Hope Exists

Several countermeasures exist to deal with cross-site scriptingattacks, according to Symantec’s Zulfikar Ramzan, technical directorfor Symantec Security Technology and Response. For instance, Web sitescan take various input validation measures to ensure that the querystring that appears in the URL right after the location of theparticular file to be accessed only contains legitimate data, asopposed to code.

“There are also tools that look for common mistakes made by Webdesigners, which can sometimes cause sites to be vulnerable tocross-site scripting attacks,” Ramzan told TechNewsWorld.

Despite these solutions, the reality is that these attacks continue tooccur — sometimes on the Web sites of very highly-regarded financialinstitutions. In fact, the attackers themselves have automated toolsto find vulnerable sites, he added.

Final Thoughts

The proper way to defend against this attack is to sanitize user inputbefore it ends up back on an end user’s browser. Simply encoding thepotentially dangerous scripting tags so that they do not get executedas code on the browser goes a long way, according to Rob Cheyne, CEOof Safelight Security Advisors.

“When I teach application security classes to developers, I alwayspoll the audience to find out their level of understanding of aparticular attack. From what I have seen, many developers have heardof the common attacks such as SQL injection and cross-site scripting,but most have not actually seen the attacks fully exploited,” Cheynetold TechNewsWorld.

Therein lies the problem. Until people see the repercussions, they arenot as inclined to go back into their code and clean up the issues.This leads to the state that we are in today, he said.

Since people fail to take the issue seriously, even at some of thelarge financial services firms, his researchers occasionally seeapplications that are riddled with cross-site scripting errors — andthese are the folks who are on the bleeding edge of security, saidCheyne.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Jack M. Germain
More in Security

Technewsworld Channels